Abstract
Since the effort to define information security practice began in the early 1990s, its issues and approaches have been continuously evolving. The ability to demonstrate effectiveness in information security is no longer an option but an imperative in the interconnected ecosystem that enables business. The update to BS 7799 recently released by ISO/IEC provides an excellent foundation for defining an Information Security Management System (ISMS). An understanding of the standard’s recommendations for demonstrating the effectiveness of the ISMS is essential to realize the full potential of this definition and standardization of information security practice across businesses. The benefits of implementing a measurement-based ISMS will only increase as demands for assurance of sound information management practices intensify. Companies will be well served to start now with an ISO/IEC 27001-based ISMS implementation.